Waterbug Threat Group Targeted Systems in Over 100 Countries: Symantec

Symantec has published a new whitepaper detailing the activities of a threat group dubbed by the security firm “Waterbug.”

Waterbug is the attack group previously known for cyber espionage campaigns leveraging toolkits such as Turla (also known as Snake or Uroburos) and Epic Turla (also known as Wipbot or Tavdig).

The group is believed to have been active since at least 2005. Its activities became known back in 2008 when one of the pieces of malware associated with it, the notorious Agent.BTZ, was used in an attack aimed at the United States military.

According to Symantec, Waterbug successfully compromised more than 4,500 systems across over 100 countries, targeting government institutions, research and education facilities, embassies, and other high-profile organizations.

The group uses two techniques to infect targeted devices with malware: spear phishing emails containing malicious attachments, and a vast distribution network composed of at least 84 compromised websites.

One of the spear phishing emails spotted by Symantec in December 2013 carried a harmless-looking PDF document designed to exploit an Adobe Reader zero-day in combination with a Windows vulnerability in order to distribute Trojan.Wipbot.

The distribution network, dubbed by the security firm “Venom,” is used for watering hole attacks designed to target certain users.

“These compromised websites are located in many different countries and were used in a watering-hole style operation in which the attackers monitored and filtered visitors to those websites and focused on the ones of interest for further action. The collection of compromised websites acted like a drag net designed to gather potential targets of interest,” Symantec said in the report.

The compromised websites are mainly located in France, Germany, Romania and Spain. Roughly half of these sites belong to government organizations, and publishing and media companies. What many of the websites have in common is the use of the content management system (CMS) TYPO3, and the fact that they reside on the same net block linked to certain hosting providers, Symantec noted.

In addition to Trojan.Wipbot, the attackers have also distributed Trojan.Turla, which they use to collect and exfiltrate data from infected machines.

Researchers have identified four variants of Trojan.Turla: SAV, FA, ComRAT, and Carbon. The threats, previously detailed by other security companies, use shared components.

In its report, Symantec has pointed out that the use of zero-days, the sophisticated malware, the large network of compromised websites, and the nature of the targets indicate that Waterbug is a state-sponsored group. While the company has not named any country, other security firms believe the threat might have Russian roots.

The complete whitepaper on Waterbug is available online.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.